The Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive ED 22-03 and released a Cybersecurity Advisory (CSA) about ongoing and expected exploitation of multiple vulnerabilities in several VMware products.

Chaining unpatched VMware vulnerabilities

The title of the advisory is “Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control”. That’s a bit confusing since there are patches available for these vulnerabilities, but threat actors are actively attacking unpatched systems.

The advisory warns organizations that malicious threat actors, most likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination.

CVE-2022-22954: VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.

Server-side template injection occurs when attacker-controlled input is embedded into a template that the server then evaluates, so the input is interpreted as template code rather than treated as plain data. Depending on the template engine, that can lead to remote code execution on the server.
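To make the distinction concrete, here is an added example (not code from the advisory or from any VMware product) using a tiny placeholder-substitution engine constructed for illustration. The vulnerable pattern concatenates user input into the template text; the hardened pattern keeps the template fixed and passes the input as a context value. The `secret` context key and all inputs are constructed sample data.

```python
import re
from typing import Dict

# Constructed toy engine: "{{ key }}" placeholders are replaced by values from a
# context dictionary. Real engines are far more powerful, which is exactly why
# letting user input become template text is dangerous.
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template: str, context: Dict[str, str]) -> str:
    """Replace every {{ key }} with context[key]; unknown keys are left verbatim."""
    return PLACEHOLDER.sub(lambda m: context.get(m.group(1), m.group(0)), template)


def greet_unsafe(user_input: str, context: Dict[str, str]) -> str:
    """Vulnerable pattern: user input is spliced into the template string, so any
    placeholder syntax inside it is evaluated by the engine with the server's context."""
    return render("Hello " + user_input + "!", context)


def greet_safe(user_input: str, context: Dict[str, str]) -> str:
    """Hardened pattern: the template is a constant; user input is only ever a
    context value, so placeholder syntax inside it is output as literal text."""
    return render("Hello {{ name }}!", {**context, "name": user_input})


def has_template_syntax(user_input: str) -> bool:
    """Defence in depth: flag inputs carrying placeholder syntax so they can be
    rejected or logged before they reach any rendering path."""
    return PLACEHOLDER.search(user_input) is not None


def demo() -> Dict[str, str]:
    """Run both patterns against a constructed payload and return the outputs."""
    server_context = {"secret": "CONSTRUCTED-SECRET-VALUE"}  # stands in for server-side data
    payload = "{{ secret }}"                                  # constructed sample input
    return {
        "unsafe": greet_unsafe(payload, server_context),
        "safe": greet_safe(payload, server_context),
        "flagged": str(has_template_syntax(payload)),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The unsafe path returns the server-side value because the engine evaluated the user's placeholder; the safe path returns the literal text `{{ secret }}`. The fix is structural (never build templates from untrusted input), and the syntax check is only an additional signal for logging and alerting.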

CVE-2022-22960: VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. A malicious actor with local access can escalate privileges to root.
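The advisory does not list the affected support scripts, so the following is a generic added example (not from the advisory or the vendor) of the class of check a defender would run for this kind of weakness: find scripts that are executable yet writable by group or others, since any such script that a privileged process runs lets a local user change what runs as root. The directory tree and file names are constructed inside a temporary directory so the example runs stand-alone.

```python
import os
import stat
import tempfile
from typing import List


def find_loosely_writable_scripts(root: str) -> List[str]:
    """Return regular files under root that are executable and writable by
    group or others. Symlinks and special files are skipped."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; not our concern here
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = st.st_mode
            executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            loosely_writable = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
            if executable and loosely_writable:
                found.append(path)
    return sorted(found)


def build_sample_tree() -> str:
    """Constructed sample: two scripts, one with sane permissions and one that
    is world-writable. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="support-scripts-")
    good = os.path.join(root, "good.sh")
    bad = os.path.join(root, "bad.sh")
    for path in (good, bad):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho support\n")
    os.chmod(good, 0o755)  # owner-writable only
    os.chmod(bad, 0o777)   # writable by everyone: the misconfiguration to catch
    return root


def audit_sample() -> List[str]:
    """Build the constructed tree, audit it and return offending file names."""
    root = build_sample_tree()
    return [os.path.basename(p) for p in find_loosely_writable_scripts(root)]


if __name__ == "__main__":
    for name in audit_sample():
        print(f"group/other-writable executable: {name}")
```

On a real system you would point `find_loosely_writable_scripts` at the directories the product's privileged helpers live in and treat every hit as a finding; the mode check is deliberately simple and does not consider ACLs or the ownership of parent directories.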

Both these vulnerabilities were patched on April 6, 2022. But it took malicious threat actors less than 48 hours to reverse engineer the vendor updates to develop an exploit and start exploiting these disclosed vulnerabilities in unpatched devices.

On May 18, 2022, CISA said it expects malicious threat actors to quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973 as well.

CVE-2022-22972: An authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation that affects local domain users. A remote attacker able to reach the respective user interface could bypass authentication for these products.

CVE-2022-22973: A local privilege escalation vulnerability in VMware Workspace ONE Access and Identity Manager. Exploiting it requires local access to a vulnerable instance; successful exploitation gives the attacker “root” privileges.

Mitigation

CISA strongly encourages all organizations to deploy the updates provided in VMware Security Advisory VMSA-2022-0014 or to remove the affected instances from their networks. CISA added CVE-2022-22954 and CVE-2022-22960 to its catalog of Known Exploited Vulnerabilities, and federal executive branch departments and agencies were required to patch those vulnerabilities by May 5 and May 6 respectively. It stands to reason that the two new vulnerabilities will follow suit.

CISA encourages organizations with affected VMware products that are accessible from the Internet to assume they have been compromised and to initiate threat hunting activities. To support that hunting, CISA has provided detection methods and indicators of compromise (IOCs) in the CSA.

The impacted products and versions are listed in the Response Matrix of the VMware advisory.

Update May 27, 2022

Researchers have released a proof-of-concept (PoC) exploit and technical analysis for the critical authentication bypass vulnerability CVE-2022-22972 affecting multiple VMware products.

After an analysis of the patch the researchers stated:

“Threat actors could easily exploit this issue. Searching on Shodan.io for the affected VMware applications we can find organizations in the healthcare and education industries, and state government potentially vulnerable.”

Update June 3, 2022

The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Cybersecurity Advisory (CSA) with additional indicators of compromise (IOCs) and detection signatures, as well as tactics, techniques, and procedures (TTPs). This CSA also provides TTPs of this activity from trusted third parties to assist administrators with detecting and responding to this activity. 

If you haven’t patched these vulnerabilities yet, you should as soon as possible.